by Sophira 666 days ago
My understanding (which may be incorrect) is this:

On the login page of the web version of Discord, you have the option to log in in two ways: either by using a username/password combination, or by scanning a QR code with the Discord app on your mobile.

The QR code is linked to your desktop session, and scanning the QR code with a mobile device will cause Discord to authenticate the desktop session with the credentials stored on the mobile.

Thus, if the attackers take one of the QR codes from their own desktop session and give it to you, scanning it will authenticate their desktop session with your credentials.

The QR codes have a rotating code that's meant to prevent old QR codes from being used, but that only means that the attackers just need to re-request the QR code every so often and show the new one.
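A small model of the flow described in this comment, added here as an illustration and not Discord's code: the server, session metadata and token format are constructed. It shows that token rotation only rejects stale codes (a freshly requested code still authenticates whichever desktop session it was issued to), and models a confirmation step on the phone as a mitigation.

```python
"""Toy model of a QR-code login flow (constructed example, not Discord's protocol)."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class DesktopSession:
    session_id: str
    device: str                 # constructed metadata shown to the phone on confirmation
    authenticated_as: Optional[str] = None


class QRLoginServer:
    """Issues short-lived QR tokens bound to a desktop session; a mobile scan
    authenticates that session with the phone's account."""

    def __init__(self, ttl_seconds: float = 60):
        self.ttl = ttl_seconds
        self.sessions: Dict[str, DesktopSession] = {}
        self.tokens: Dict[str, Tuple[str, float]] = {}   # token -> (session_id, issued_at)

    def new_desktop_session(self, device: str) -> DesktopSession:
        s = DesktopSession(secrets.token_hex(8), device)
        self.sessions[s.session_id] = s
        return s

    def issue_qr_token(self, session_id: str, now: Optional[float] = None) -> str:
        """Called by the desktop; calling again simply yields a fresh token (rotation)."""
        token = secrets.token_urlsafe(16)
        self.tokens[token] = (session_id, time.time() if now is None else now)
        return token

    def scan(self, token: str, mobile_user: str,
             approve: Optional[Callable[[str], bool]] = None,
             now: Optional[float] = None) -> str:
        """Mobile app submits a scanned token. Without `approve`, the scan silently
        logs the bound desktop session in as `mobile_user`, whoever started it."""
        now = time.time() if now is None else now
        entry = self.tokens.pop(token, None)        # single use
        if entry is None:
            return "unknown token"
        session_id, issued_at = entry
        if now - issued_at > self.ttl:
            return "expired"                        # expiry only blocks stale tokens
        session = self.sessions[session_id]
        # Mitigation: show the phone which desktop is asking and require an explicit yes.
        if approve is not None and not approve(session.device):
            return "rejected"
        session.authenticated_as = mobile_user
        return "authenticated"
```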